TLS
HTTPS for small business: how to enable it in 15 minutes.
Published 2026-04-19 · Last updated 2026-04-19 · Vantyris editorial
If your site loads on `http://` rather than `https://`, every modern browser shows your visitors a 'Not secure' warning before they see your content. Chrome blocks form submissions on HTTP. Your conversion rate suffers, your search ranking suffers, and any data your visitors send (login credentials, contact form details) travels the public internet in plain text. HTTPS is no longer optional, and getting it costs nothing.
What this means for your business
- Browsers haven't tolerated HTTP-only sites for years. Chrome shows 'Not secure' in the address bar; Firefox does the same; Safari warns on any form. Visitors interpret that as 'this business is sketchy' and bounce.
- Without HTTPS, anything posted to your contact form, login page, or checkout travels unencrypted. Anyone on the same Wi-Fi network as your visitor can intercept it.
- Google has used HTTPS as a ranking signal since 2014. An HTTP-only site sits below equivalent HTTPS competitors on SERPs.
- Let's Encrypt provides free certificates that every modern web host can deploy with one toggle. There is no cost barrier to HTTPS in 2026.
How to fix
Enable a Let's Encrypt certificate at your web host or Cloudflare, then set up the HTTP-to-HTTPS redirect so old links keep working.
- Check whether your host offers Let's Encrypt. Most modern hosts (Hostinger, SiteGround, WP Engine, Cloudways, Fly, Render, Vercel) include Let's Encrypt as a one-click toggle. Log in to your hosting control panel, find the SSL section, and look for `Let's Encrypt` or `Free SSL`.
- Turn it on. Click the toggle. Most hosts take 1-5 minutes to issue the certificate. You'll see a confirmation when it's active.
- Set the HTTP-to-HTTPS redirect. Now you have HTTPS, but visitors typing `http://yourdomain.com` will still hit the unencrypted version. Most hosts have a 'Force HTTPS' or 'HTTPS Redirect' toggle next to the SSL setting. Turn it on.
- Test it. Open an incognito browser and visit `http://yourdomain.com` (with `http://` explicitly). It should redirect to `https://yourdomain.com`. Check the padlock icon in the address bar.
- (Optional) Add HSTS. Once HTTPS works for a week or two, add a Strict-Transport-Security header. This tells browsers to never load your site over HTTP again, even if a visitor types `http://`. Most hosts let you add headers in the config; if not, your CDN (Cloudflare's free tier) can.
Owner: Your web host's support team. · Time: 15 minutes if your host supports Let's Encrypt natively.
Common gotchas
- After enabling HTTPS, check that all images, scripts, and stylesheets on the page also load over HTTPS. A page mixing HTTPS and HTTP resources triggers a 'mixed content' warning. Most modern hosts handle this automatically; older sites with hard-coded `http://` URLs in the CMS need a database search-and-replace.
- If your site is fronted by Cloudflare, set SSL mode to 'Full (strict)', not 'Flexible'. Flexible decrypts at Cloudflare and serves HTTP to your origin, which is half-secure.
- Don't forget the redirect. Without the HTTP-to-HTTPS redirect, you have two parallel copies of your site (an HTTP one and an HTTPS one) which confuses search engines and visitors alike.
How to verify the fix
Run a Vantyris teaser scan; it confirms HTTPS is configured and the redirect is in place. Or paste your domain into ssllabs.com/ssltest for a detailed grade.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Do I need to pay for a 'real' certificate from a CA?
No. Let's Encrypt certificates are accepted by every modern browser and are technically equivalent to paid ones. Paid certs only add brand recognition (DigiCert, Sectigo) or extended validation (the green bar, which most browsers have removed).
Will enabling HTTPS slow my site down?
No, the opposite. HTTPS enables HTTP/2 and HTTP/3, which are faster than HTTP/1.1. Sites are measurably quicker after enabling HTTPS.
What if my certificate expires?
Let's Encrypt certs expire every 90 days and renew automatically via your host. If auto-renewal breaks, your host emails you. Set a calendar reminder if you want belt-and-braces.
References
- Let's Encrypt: getting started Vendor
- NCSC: TLS for external-facing services NCSC
- MDN: Strict-Transport-Security MDN
Related explainers
- HSTS: the security header that locks HTTPS on for good.
- TLS 1.0 and 1.1: turn them off. Here's why and how.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0